I am running Percona for MySQL 5.7 with both pam_auth and the audit_log plugin enabled. Both work as expected. However, we want to exclude certain users from the audit log (via the variable audit_log_exclude_accounts) that authenticate via pam to a proxied user. Is this possible?
Example:
AD Security Group - mysql_ad_access has members (user_a, user_b, user_c)
We map the ad group mysql_ad_access to a proxy user called mysql_access_user in mysql (mysql.user table) via pam auth.
We set audit_log_exclude_accounts = user_a@%
Can we exclude activity from user_a@‘%’ while capturing activity for user_b and user_c?
It seems like it should be possible because auditing is capturing mysql_access_user[user_a] @ ‘%’ as the user in the audit log record.
“Query”,“657748_2021-06-19T12:25:02”,“2021-06-29T18:54:48 UTC”,“show_warnings”,“637681”,0,“/* java thread: UsrP-7~Main~VM 443096/11:54:47.598679 */ SHOW WARNINGS”,“mysql_access_user[user_a] @ [xxx.xxx.xxx.xxx]”,“”,“”,“xxx.xxx.xxx.xxx”,“”